// notes/ PrivEsc — Linux
✅
PrivEsc Checklist
Cross-platform privilege escalation checklist.
#privesc#checklist
source · airouboss/oscp-prep-notes-2026 · methodology/checklists/privesc.md ↗Privilege Escalation Checklist
Windows Privesc
Quick Wins
-
whoami /priv→ SeImpersonate? SeBackup? SeAssignPrimaryToken? -
whoami /groups→ Backup Operators? Server Operators? DnsAdmins? -
cmdkey /list→ Saved credentials? →runas /savecred -
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Automated Enum
- Run
winPEAS.exe - Run
PowerUp.ps1:Invoke-AllChecks - Run
Seatbelt.exe -group=all
Services
- Unquoted service paths:
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows" - Writable service binaries: check
icaclson each path - Service DLL hijacking: check with procmon
- Modifiable service config:
accesschk.exe -uwcqv "Everyone" *
Registry
- AlwaysInstallElevated: check both HKLM and HKCU
- AutoRun programs with writable paths
-
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Scheduled Tasks
-
schtasks /query /fo LIST /v - Check for writable scripts called by tasks
Files & Creds
-
dir /s /b C:\Users\*.txt C:\Users\*.ini C:\Users\*.cfg C:\Users\*.xml 2>nul -
type C:\Windows\Panther\Unattend.xml -
type C:\inetpub\wwwroot\web.config - Check for KeePass databases:
dir /s /b C:\*.kdbx 2>nul - Check browser stored passwords
- FileZilla/WinSCP saved sessions
Token / Potato
- SeImpersonate → GodPotato, PrintSpoofer, SweetPotato
- Check for other user tokens:
incognito list_tokens -u
Linux Privesc
Quick Wins
-
sudo -l→ Check GTFOBins for each binary -
find / -perm -4000 -type f 2>/dev/null→ SUID binaries -
cat /etc/crontab && ls -la /etc/cron.*→ writable cron scripts? -
ls -la /etc/passwd→ writable? Add root user -
cat /home/*/.bash_history→ creds in history?
Automated Enum
- Run
linpeas.sh - Run
linux-smart-enumeration (lse.sh) - Run
pspyto monitor processes
Permissions
- SUID binaries → GTFOBins
- Capabilities:
getcap -r / 2>/dev/null - Writable
/etc/passwdor/etc/shadow - Writable systemd services
- Writable scripts in PATH
Cron & Processes
- Cron jobs running as root with writable scripts
- Tar wildcard injection
- PATH hijacking on cron scripts
- Monitor with
pspy64for hidden cron/processes
Sudo
-
sudo -l→ specific binary abuse -
env_keep+=LD_PRELOAD→ LD_PRELOAD hijack - Sudo version < 1.8.28 → CVE-2019-14287 (
sudo -u#-1 /bin/bash)
Group Memberships
-
id→ docker? lxd? disk? adm? - Docker group → mount host FS
- lxd/lxc group → privileged container
- Disk group → debugfs
- adm group → read logs for creds
Network & Services
- Internal services:
ss -tlnpornetstat -tlnp - MySQL running as root? UDF exploit
- NFS:
cat /etc/exports→ no_root_squash?
Kernel
-
uname -a→ check kernel version - DirtyCow, DirtyPipe, PwnKit
-
linux-exploit-suggester.sh
Files & Creds
- SSH keys:
find / -name id_rsa 2>/dev/null - Config files:
.env,wp-config.php,web.config -
.gitrepos:find / -name .git 2>/dev/null - Backup files:
find / -name "*.bak" -o -name "*.old" 2>/dev/null